william/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Route DNS based on service visibility flags

Browse source 
Replace wildcard DNS with dynamic service-based routing that reads
from shared/services.nix. Public services (forgejo, vaultwarden,
nextcloud) point to trantor's public IP for external access, while
private services (kanidm, jellyfin) point to tailscale IPs for
internal-only access. This provides granular control over service
exposure without manual DNS management.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
William 2025-11-09 11:20:21 -03:00
parent 878c4aa3ea
commit ad9d565a8f
2 changed files with 49 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
shared/services.nix
View file

@ -8,7 +8,6 @@
name = "kanidm"; name = "kanidm";
domain = "auth.baduhai.dev"; domain = "auth.baduhai.dev";
host = "alexandria"; host = "alexandria";
public = false;
lanIP = "192.168.15.142"; lanIP = "192.168.15.142";
tailscaleIP = "100.76.19.50"; tailscaleIP = "100.76.19.50";
port = 8443; port = 8443;
@ -43,7 +42,6 @@
name = "jellyfin"; name = "jellyfin";
domain = "jellyfin.baduhai.dev"; domain = "jellyfin.baduhai.dev";
host = "alexandria"; host = "alexandria";
public = false;
lanIP = "192.168.15.142"; lanIP = "192.168.15.142";
tailscaleIP = "100.76.19.50"; tailscaleIP = "100.76.19.50";
port = 8096; port = 8096;

74
terranix/cloudflare/baduhai.dev.nix
View file

@ -3,7 +3,38 @@
# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage # AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage # AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
{ config, ... }: { config, lib, ... }:
let
inherit (import ../../shared/services.nix) services;
# Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git")
getSubdomain = domain: lib.head (lib.splitString "." domain);
# Generate DNS records for services
# Public services point to trantor's public IP
# Private services point to their tailscale IP
mkServiceRecords = lib.listToAttrs (
lib.imap0 (i: svc:
let
subdomain = getSubdomain svc.domain;
targetIP = if svc.public or false
then config.data.terraform_remote_state.trantor "outputs.instance_public_ip"
else svc.tailscaleIP;
in {
name = "service_${toString i}";
value = {
zone_id = config.variable.zone_id.default;
name = subdomain;
type = "A";
content = targetIP;
proxied = false;
ttl = 3600;
};
}
) services
);
in
{ {
terraform.required_providers.cloudflare = { terraform.required_providers.cloudflare = {
@ -48,31 +79,24 @@
}; };
resource = { resource = {
cloudflare_dns_record.root = { cloudflare_dns_record = mkServiceRecords // {
zone_id = config.variable.zone_id.default; root = {
name = "@"; zone_id = config.variable.zone_id.default;
type = "A"; name = "@";
content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; type = "A";
proxied = false; content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
ttl = 3600; proxied = false;
}; ttl = 3600;
};
cloudflare_dns_record.www = { www = {
zone_id = config.variable.zone_id.default; zone_id = config.variable.zone_id.default;
name = "www"; name = "www";
type = "A"; type = "A";
content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
proxied = false; proxied = false;
ttl = 3600; ttl = 3600;
}; };
cloudflare_dns_record.wildcard = {
zone_id = config.variable.zone_id.default;
name = "*";
type = "A";
content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip";
proxied = false;
ttl = 3600;
}; };
}; };
} }